Posted by Soulskill on Sunday February 16, 2014 @12:10AM
from the if-only-there-were-a-way-to-crowdfund-better-security-precautions dept.

New submitter jbov writes "Kickstarter members received an e-mail at about 16:40 EST notifying them of a security breach. According to the e-mail, information including user names, encrypted passwords, mailing addresses, and phone numbers may have been revealed. Kickstarter members were urged to change their passwords. 'Older passwords were uniquely salted and digested with SHA-1 multiple times. More recent passwords are hashed with bcrypt.' Kickstarter claims that credit card information was not accessed during the breach. According to Kickstarter, law enforcement officials contacted the company on Wednesday night and alerted them that 'hackers had sought and gained unauthorized access to some of our customers' data.' Upon learning of the breach, Kickstarter closed the security breach and began strengthening security measures."

Or perhaps the person is simply ignorant of any evidence to support such claims which you apparently seem to possess in such abundance. I actually haven't seen anything to support it either, for that matter, so from where I sit, the allegation strikes me more as being an unprovable conspiracy theory, and I would consider the notion as improbable as well.

Suggesting that someone who simply disbelieves a criticism must somehow be lying to protect them is even at best a variant of ad-hominem, and at worst, indicative of a possibly less than clear grasp of what is actually real and what is not.

They did the right thing and contacted all the people who use KS and advised them to change their login. Unlike Adobe, who still haven't contacted me... With influence comes responsibility - KS has taken responsibility, Adobe never did.

Not only did Adobe email me and send me a letter about the whole thing, they gave me a free year subscription to Experian's identity theft protection services. Makes me wonder just how much info they lost about me.

No, you're missing the point. This is how these hackers work, more or less:

1) They get your account information from one source. Preferably with password (as they did from Kickstarter).

2) They try that password on the various accounts they have information for. They can also try to brute-force your passwords, or use "social engineering" to get the password for an account or change it to one of their own.

3) Profit.

So, yeah... it can be damaging to even just have the name of your Amazon account.

Um, yes. In order to actually operate a Kickstarter project, you are required to give them details of an Amazon account. They only accept and transfer money via Amazon.

No, they use Amazon PAYMENTS, which while requiring an Amazon account, does not need the originating site to know it.

What happens is KickStarter forwards your pledge amount to Amazon. Amazon then asks you to log in and find out your method of payment and all that. It then gives the site back a payment token. Kickstarter uses that payment tok

The notifications seem to be going out in waves, slowly. I'm not sure why. Across three folks I know (including myself) with Kickstarter accounts, the emails themselves all seem to have gone out within minutes of each other, but one of them arrived just minutes ago.

I'm guessing with the volume of emails, it got throttled along the way. You can see this in the Received: headers:

Notice that the earlier time stamps (corresponding to when the emails were generated) are around 21:18 GMT, but the arrival timestamps are around 21:49 PST, about 8 and a half hours later. And that's about how far apart our emails arrived. I imagine more are in the queue.

(And yay crapflooders for making it impossible to format things usefully in Slashdot comments.)

As far as passwords go, I'm not worried about anyone actually hacking my Kickstarter password. It's a password unique to Kickstarter, and it was generated at random.org as a 13 character mixed-case alphanumeric password. Good luck reverse-hashing that. Even if you do, it won't get you much.

Why are we not using public/private key infrastructure for online logins yet????? It's 2014, most people have been online for nearly twenty years, and human beings are still using passwords that have to (generally speaking) be memorized, which leads to poor password choices and repetition. This problem should have been solved YEARS ago.

Excuse me? A secret that never leaves my computer, at least not in any plaintext form (encrypt your private keys before exporting them, people!), is *way* more secure than a secret I need to provide over the Internet (even in an encrypted channel) and that the host I'm connecting to needs to store (even in a non-reversibly-encrypted form). If you don't think so, then there is something *very* wrong with the security of your box...

The way we do passwords now, even if you don't re-use the password, a single compromised host gives the attacker enough information to begin attempting to determine the login credentials of every single user on the site (and in many cases, those same credentials can be used on other sites too). Additionally, attacks can be made much faster using common password dictionaries and so on. In the case of a public-key system, all that the attacker would get is the public keys of every user on the site, but without the corresponding private keys - which they will never obtain from the compromised server, because the client never exposes them to the network - they can't obtain any user's login credentials. True, in the case of persistent malware on the server an attacker could hijack a user's session after login, but they would be unable to prevent the user from logging out or to log in again afterward, and they would be unable to try re-using credentials on other sites the user may have accounts on.

In fact, using public-key crypto is almost strictly as secure, or more so, than passwords. Sure, an attacker who targets a specific user's machine could potentially steal their secret key when the user unlocks it to log into a site, or steal it in its at-rest form (hopefully, encrypted with a password) and start brute-forcing that encryption. However, such an attacker could also have stolen a user's password database, or keylogged their password as they typed it into a site. If you just want to attack a single user, and you have the ability to compromise one of their hosts, it doesn't matter which system they use. However, if you can only attack a server (as is usually the case), public-key systems are way safer for the users.

The problem, of course, is how the user moves their secret key(s) from client to client. These days, almost everybody uses a number of different clients (your PCs, your workstations, your phone and/or tablet, your friends' phones, the library's PC, whatever) to access secured resources. There are a number of possible ways to transfer the private key(s) between all those things, but each has downsides. Oh, and the little problem of there not being any standard way (other than TLS client certs, which are not widely supported and arguably not the correct tool here) to use public keys to authenticate with a site right now, so something would need to be standardized and then implemented widely before it would be useful.
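The challenge-response login the comment above argues for, as an added example (not code from the original thread): the server stores only Ed25519 public keys, the client signs a fresh server-issued nonce with a private key that never leaves the client, and the nonce is consumed on use so a captured signature cannot be replayed. The user name, the domain-separation tag and the sample flow in main are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server state holds only public keys plus one-shot challenge nonces: a database dump yields nothing to crack or replay.
type Server struct {
	pubkeys map[string]ed25519.PublicKey
	pending map[string][]byte
}

func (s *Server) Register(user string, pk ed25519.PublicKey) { s.pubkeys[user] = pk }

// Challenge issues a fresh 32-byte random nonce that may be answered only once.
func (s *Server) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.pending[user] = nonce
	return nonce
}

// loginMessage binds the signature to purpose, user and nonce (constructed domain-separation tag, not a standard).
func loginMessage(user string, nonce []byte) []byte { return append([]byte("login-challenge-v1\x00"+user+"\x00"), nonce...) }

// Login deletes the nonce before verifying, so a captured signature cannot be replayed.
func (s *Server) Login(user string, sig []byte) bool {
	nonce, ok := s.pending[user]
	delete(s.pending, user)
	pk, known := s.pubkeys[user]
	return ok && known && ed25519.Verify(pk, loginMessage(user, nonce), sig)
}

// Answer is the client side: the private key stays local and only a signature crosses the wire.
func Answer(priv ed25519.PrivateKey, user string, nonce []byte) []byte { return ed25519.Sign(priv, loginMessage(user, nonce)) }

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}}
	srv.Register("alice", pub)
	sig := Answer(priv, "alice", srv.Challenge("alice"))
	fmt.Println("genuine:", srv.Login("alice", sig), "replay:", srv.Login("alice", sig)) // true false
	_, stranger, _ := ed25519.GenerateKey(rand.Reader) // an attacker holding the dump has no private key for alice
	fmt.Println("forged:", srv.Login("alice", Answer(stranger, "alice", srv.Challenge("alice")))) // false
}
```

The remaining risk the comment names, a compromised server hijacking a live session, is unchanged by this design; what changes is that the dump contains no credential an attacker can crack offline or reuse elsewhere.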

I have a better question. Why does Kickstarter store IDs or passwords AT ALL? Why do they not mandate federation?

They have Facebook login, but no Google or OpenID login. Why? And if I am using Facebook login, then why do I STILL need to create a stupid Kickstarter.com password? I should be able to ONLY use Facebook.

Why do so few websites do ID federation properly? It is simply one of the best security options we have today, and it makes life SO MUCH EASIER for the user, yet no sites properly use it.

Why should we have a system with a single point of failure, when it makes it much harder for intruders if they have to break into every site and account separately?

Also, fuck Google, Facebook etc. They already have more than enough information about me.